DKernus02
Aug 25, 2020
Solved

Requirements/Need for GCC High

I have gone back and forth with Microsoft Support about the need for GCC High. Below is the last interaction I had with them regarding the need for it. They had someone call me to explain it and I ex...
  • RichardWakeman
    Aug 25, 2020

    DKernus02 A requirement for GCC High may be inferred at CMMC Level 3+ where data protection of CUI is required. Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) to protect CUI. I explain why in my article Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty.

    Ultimately, cybersecurity frameworks like CMMC are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. Accordingly, the current intent is to achieve compliance for all Microsoft cloud-based products and services that are in scope for DIB customers, alongside FedRAMP, NIST 800-53, NIST CSF, DISA SRG, etc.

    While commercial environments will be compliant, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 GCC High for data handling of CUI aligned with CMMC Level 3+. It will be a risk decision for your organization to decide on what high watermark for compliance matches your risk tolerance.

    For more information, please refer to Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings and Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty
